Why you should adopt a cautious approach to kernel mode anti-cheats

In the last couple of decades, the gaming industry has risen to become one of the top providers of entertainment. Be it in the form of attending e-sports events, watching playthroughs or by directly engaging in gameplay, more and more people are dealing with video games in their free time. With this stark rise in popularity came also a rise in market value, the gaming industry is prognosed to achieve a worldwide market value of 200.8 billion dollars by 2023 (Statista, 2021). In 2020, gaming was the most lucrative sector of the entertainment industry, surpassing both the sports and movie industry (Witkowski, 2021).   

Still, this growth also has its downside. An increase in players has subsequently led to a rise in dishonest players. Therefore, it comes as no surprise that gaming companies have started to increasingly look into the implementation of anti cheat systems. Anyone who has played major game instalments, especially multiplayer games, might be aware that the companies publishing these games deploy an automatic anti cheat system. Anti-cheats are needed more than ever, since even in non-competitive games, there is a “chronic cheating problem” (Stuart, 2021). Anti-cheats aim to level the playing field, giving all users the same chance. Additionally, cheating can lead to financial losses for gaming companies, increasing the urgency for a proper anti cheating policy (Mørch, 2003).

But why do people even cheat? The most obvious answer is to gain an advantage. According to psychologist Corey Butler, cheating “is strongly related to self-enhancement and impression management”. It is about status among peers, as well as recognition. At the same time, cheating can also refer to the boosting of other players (“boosting” refers to the process of artificially enhancing the rank of a lower skilled player by a higher skilled player in a video game) or the selling of cheating programs. A market has already developed around this service, making the offering of cheating in video games a lucrative way to earn money (as long as one does not get caught).

Cheating has been around ever since the first game was published. Some publishers tolerate or even condone cheating (predominantly in single player games, players of The Sims franchise will be very familiar with a variety of cheats that were actually built into the game), but most gaming companies do not take too kindly players trying to gain an unfair advantage through cheating, resulting in the emergence of anti-cheat systems. As games have become more sophisticated, people have found novel ways to cheat in them, resulting in a contemporaneous evolution of anti-cheat systems.

How did anti-cheats traditionally function? To answer this question, it is first necessary to understand what the concept of a protection ring on a computer is and how it functions.

In order to restrict access to data stored on a device, access to resources is partitioned into various segments in a variety of operating systems (Wiley, 2011). This structure is commonly known as hierarchical protection domains or protection rings. Depending on their “clearance”, certain programs/users/applications, etc. are either allowed or denied access to resources. The different segments are labelled “ring 0”, “ring 1”, “ring 2” and “ring 3”, with ring 0 having the highest level of privilege and ring 3 the least. To be more concrete, ring 0 can access anything on the other three rings, ring 3 is only able to access resources within ring 3 clearance.

Until recently, most anti cheats used to access ring 3, also referred to as the user mode. But with the increase in sophistication of cheating programs, kernel-level cheating tools have started to appear (e.g, Sunadham). Ring 3 anti-cheats were unable to detect these software used for cheating due to its restricted scope. Thus, this malicious software appeared to be a legitimate program to the anti-cheat and was not blocked.

Various gaming companies saw the necessity of deploying “stronger” anti-cheat software, resulting in the new trend of kernel mode anti-cheats, or ring 0 anti-cheats. This variety of anti-cheat has, in theory, unlimited access to the system’s memory and hardware, due to it running with ring 0 privileges. These more novel anti-cheat variants are employed for example in games such as Valorant or Genshin Impact, both relatively new games that have gained large popularity over the last year.

Kernel mode anti cheats are able to block the usage of certain programs that they deem to be cheatware (i.e., software used specifically for cheating), even if it might be legitimate software (Forte, 2020). Another difference is that kernel level programs start operating as soon as Windows boots up and not only when the user chooses to run the respective program. This means that this type of anti-cheats are constantly running in the background, which some users might be unaware of, possibly creating a security exposure to the rest of the system. Runtime errors would thus not limit to making the relevant application crash but could lead to the whole system crashing (Orland, 2020). Finally, the most critical aspect is that a malfunctioning or misconfiguration of the anti-cheat software could possibly open the door for attackers to install their malicious software at kernel level, granting it a high level of privileges. Of course, gaming companies would have a lot to lose in this case and are therefore going to closely monitor their application, but users should keep this possibility in mind.

What conclusions can be drawn from this?

Users should be aware of the high system privileges they are granting gaming companies through these ring 0 anti-cheats and evaluate whether it is worth it for them to continue playing the game. If players deem it acceptable or do not want to give up on playing a certain game, that is perfectly legitimate. But as with many aspects in life, it is of the essence that people make an informed choice!



Gaming market value worldwide 2012-2023. (2021, January 29). Statista. https://www.statista.com/statistics/292056/video-game-market-value-worldwide/

Forte, L. (2020, May 11). Valorant ha gravi problemi col suo sistema anti-cheat. La Gazzetta dello Sport. https://esports.gazzetta.it/news/11-05-2020/valorant-ha-gravi-problemi-col-suo-sistema-anti-cheat-57753

Mørch, K. (2003, January 8). Cheating in online games-threats and solutions. Publication No: DART/01/03. Norwegian Computing Center/Applied Research and Development. https://www.nr.no/directdownload/Cheating_in_Online_Games.pdf Orland, K. (2020, April 14). Ring 0 of fire: Does Riot Games’ new anti-cheat measure go too far? Ars Tecnica.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a website or blog at WordPress.com

Up ↑

%d bloggers like this: